how to perform "dry-run" authorization check in .NET Core?

Question

Consider that I have .NET Controller with Policy-based authorization:

public class ImportantController: Controller {
    [HttpGet]
    [Authorize(Policy = "CanAccessVIPArea")]
    public IActionResult ShowInformation() {
        ...
        return OK(VipData);
    }

    [HttpPost]
    [Authorize(Policy = "CanChangeVIPData")]
    public IActionResult SaveInformation([FromBody] VipData) {
        ...
        return CreatedAtAction(...);
    }
}

Obviously, the real example is much more complex; I apologize if my simplification leads to too much make-believe in it. Also, real application is SPA with Angular front end; but I don't think it makes any difference for the purposes of this question.

When the user calls ShowInformation() I show a lot of data. On that page I have Save button that calls SaveInformation(). Authorization middleware checks for the right policy and it all works fine.

The problem is that by the time the user presses Save, she entered a lot of data, only to find out that she doesn't have the permissions to save. Obviously, leading to bad experience. I want to check for permissions on SaveInformation in the middleware that gets invoked when the user calls ShowInformation. I would prefer not to check for the hardcoded policy because it is on the server and it can change (we have pretty sophisticated permission management system that manipulates permissions at runtime). Invocation of SaveInformation is in the same Angular service as ShowInformation, and it is very easy to check...

I would like to invoke something like /api/SaveInformation?dryrun that will short-circuit the pipeline after authorization middleware with success or failure.

Answer 1

You can inject an IAuthorizationService and ask to evaluate a policy by name:

public class ImportantController: Controller 
{
    private readonly IAuthorizationService authorization;

    public ImportantController(IAuthorizationService authorization)
    {
        this.authorization = authorization;
    }

    public async Task<IActionResult> ShowInformation() 
    {
        // ...
        var result = await authorizationService.AuthorizeAsync(User, "IsLucky"); 

        return OK(VipData);
    }
}

Answer 2

My pratice is to include all permission claims in the id token, when the user first login to the system, the id token will return to the client side. The client side then render the page according to the permission claims.